Re: [webauthn] Adding a choice for RP to express preferences for attestation types

@balfanz wrote:
> re/ "these are not attestation types": I think they are. The point of this parameter here is to help the client decide which of the attestation types defined in Section 6.3.3. ("Attestation Types") should be returned to the RP

Actually, in thinking about this further I would use the term `attestationConveyancePreference` rather than `attestationPresentationPreference` because it seems to me that that is what this is in regards to, rather than "attestation type" (after having gone back and re-read the several paragraphs beginning here: [attestation type](https://w3c.github.io/webauthn/#attestation-type)).

* none - do not convey the attestation statement and AAGUID from the authenticator, and the RP does not attempt to validate the attestation statement.
* indirect - client, and perhaps other 3rd party, may alter the attestation statement.
* direct - convey to the RP the authenticator's attestation statement and AAGUID.

I think that the blinding performed in the none case introduces a new [attestation type](https://w3c.github.io/webauthn/#attestation-type) which we ought to add to the [attestation types list](https://w3c.github.io/webauthn/#sctn-attestation-types).

Also, the present "privacy CA" attestation type ought to be name-changed to Attestation CA per TCG's specs and made clear that it is TCG-specific, and perhaps add another attestation type of "privacy CA" (or some other name? attestation proxy? blinding proxy?), i.e. the Chrome-proposed attestation type, which is not a TCG TPM attestation CA because (at least) it is the client who is employing it, not a TPM-based authenticator.







-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/636#issuecomment-345196396 using your GitHub account

Received on Friday, 17 November 2017 09:51:12 UTC